From: Navid Emamdoost
[ Upstream commit 5509ac65f2fe5aa3c0003237ec629ca55024307c ]
in amdgpu_drm_ioctl the call to pm_runtime_get_sync increments the
counter even in case of failure, leading to incorrect
ref count. In case of failure, decrement the ref count before returning.
Signed-off-by: Nav
From: Guchun Chen
[ Upstream commit 5e91160ac0b5cfbbaeb62cbff8b069262095f744 ]
RAS context memory needs to freed in failure case.
Signed-off-by: Guchun Chen
Reviewed-by: Tao Zhou
Signed-off-by: Alex Deucher
Signed-off-by: Sasha Levin
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 19 +++
From: Navid Emamdoost
[ Upstream commit e008fa6fb41544b63973a529b704ef342f47cc65 ]
in amdgpu_display_crtc_set_config, the call to pm_runtime_get_sync
increments the counter even in case of failure, leading to incorrect
ref count. In case of failure, decrement the ref count before returning.
Sig
From: Chao Yu
[ Upstream commit 9627a7b31f3c4ff8bc8f3be3683983ffe6eaebe6 ]
- don't panic kernel if f2fs_get_node_page() fails in
f2fs_recover_inline_data() or f2fs_recover_inline_xattr();
- return error number of f2fs_truncate_blocks() to
f2fs_recover_inline_data()'s caller;
Signed-off-by: Chao
From: Aditya Pakki
[ Upstream commit 78c2ce9bde70be5be7e3615a2ae7024ed8173087 ]
On calling pm_runtime_get_sync() the reference count of the device
is incremented. In case of failure, decrement the
reference count before returning the error.
Signed-off-by: Aditya Pakki
Cc: k...@umn.edu
Cc: wu00
From: Kaige Li
[ Upstream commit 61eee4a7fc406f94e441778c3cecbbed30373c89 ]
Add the new PCI ID 0x0014 0x7a07 to support Loongson 7A1000 controller.
Signed-off-by: Kaige Li
Link:
https://lore.kernel.org/r/1594954292-1703-2-git-send-email-lika...@loongson.cn
Signed-off-by: Takashi Iwai
Signed-
From: Jiaxun Yang
[ Upstream commit 01edc5e76ecfecf9a79eec2658f6146ef47bc816 ]
After tons of fixes to get Trap-and-Emulate build on Loongson64,
I've got panic on host machine when trying to run a VM.
I found that it can never work on 64bit systems. Revewing the
code, it looks like R6 can't supp
From: Hans Verkuil
[ Upstream commit 6c42227c3467549ddc65efe99c869021d2f4a570 ]
Fix this smatch warning:
drivers/media/cec/core/cec-api.c:156 cec_adap_g_log_addrs() warn: check that
'log_addrs' doesn't leak information (struct has a hole after
'features')
Signed-off-by: Hans Verkuil
Signed-o
On 2020-09-01 04:45, Samuel Dionne-Riel wrote:
On Mon, 31 Aug 2020 10:27:37 +0100
Marc Zyngier wrote:
Ah, so actually anything that *enables pcie* kills your system.
Great investigative work!
>
> And backed by a further bisection with this that points to
> d84c572de1a360501d2e439ac632126f5fac
From: Arnd Bergmann
[ Upstream commit b648a5132ca3237a0f1ce5d871fff342b0efcf8a ]
The kernel test robot pointed out a slightly different error message
after recent commit 5456ffdee666 ("powerpc/spufs: simplify spufs core
dumping") to spufs for a configuration that never worked:
powerpc64-linu
From: Qiushi Wu
[ Upstream commit 20eca0123a35305e38b344d571cf32768854168c ]
kobject_init_and_add() takes reference even when it fails.
If this function returns an error, kobject_put() must be called to
properly clean up the memory associated with the object.
Signed-off-by: Qiushi Wu
Reviewed-
From: Bodo Stroesser
[ Upstream commit 5a0c256d96f020e4771f6fd5524b80f89a2d3132 ]
If tcmu_handle_completions() has to process a padding shorter than
sizeof(struct tcmu_cmd_entry), the current call to
tcmu_flush_dcache_range() with sizeof(struct tcmu_cmd_entry) as length
param is wrong and causes
From: Aditya Pakki
[ Upstream commit bfad51c7633325b5d4b32444efe04329d53297b2 ]
nouveau_fbcon_open() calls calls pm_runtime_get_sync() that
increments the reference count. In case of failure, decrement the
ref count before returning the error.
Signed-off-by: Aditya Pakki
Signed-off-by: Ben Ske
From: Jason Baron
[ Upstream commit 709ed1bcef12398ac1a35c149f3e582db04456c2 ]
The Intel uncore driver may claim some of the pci ids from ie31200 which
means that the ie31200 edac driver will not initialize them as part of
pci_register_driver().
Let's add a fallback for this case to 'pci_get_de
From: Gwendal Grignou
[ Upstream commit e48bc01ed5adec203676c735365373b31c3c7600 ]
EC is using 32 bit timestamps (us), and before converting it to 64bit
they were not casted, so it would overflow every 4s.
Regular overflow every ~70 minutes was not taken into account either.
Signed-off-by: Gwen
From: Javed Hasan
[ Upstream commit e95b4789ff4380733006836d28e554dc296b2298 ]
In fcoe_sysfs_fcf_del(), we first deleted the fcf from the list and then
freed it if ctlr_dev was not NULL. This was causing a memory leak.
Free the fcf even if ctlr_dev is NULL.
Link: https://lore.kernel.org/r/2020
From: David Brazdil
[ Upstream commit b38b298aa4397e2dc74a89b4dd3eac9e59b64c96 ]
__hyp_call_panic_nvhe contains inline assembly which did not declare
its dependency on the __hyp_panic_string symbol.
The static-declared string has previously been kept alive because of a use in
__hyp_call_panic_v
From: Jarkko Nikula
[ Upstream commit f46efbcad97bfb2caded0397eccce7c71402868c ]
Add SMBus PCI ID on Intel Tiger Lake PCH-H.
Signed-off-by: Jarkko Nikula
Reviewed-by: Jean Delvare
Signed-off-by: Wolfram Sang
Signed-off-by: Sasha Levin
---
drivers/i2c/busses/i2c-i801.c | 4
1 file chan
From: Kefeng Wang
[ Upstream commit eaecca9e7710281be7c31d892c9f447eafd7ddd9 ]
The __cpu_logical_map undefined issue occued when the new
tegra194-cpufreq drvier building as a module.
ERROR: modpost: "__cpu_logical_map" [drivers/cpufreq/tegra194-cpufreq.ko]
undefined!
The driver using cpu_logi
From: Changming Liu
[ Upstream commit 2b53a19284f537168fb506f2f40d7fda40a01162 ]
The char buffer buf, receives data directly from user space,
so its content might be negative and its elements are left
shifted to form an unsigned integer.
Since left shifting a negative value is undefined behavio
From: Andrey Konovalov
[ Upstream commit 2c547f9da0539ad1f7ef7f08c8c82036d61b011a ]
When CONFIG_EFI is not enabled, we might get an undefined reference to
efi_enter_virtual_mode() error, if this efi_enabled() call isn't inlined
into start_kernel(). This happens in particular, if start_kernel()
From: Ansuel Smith
[ Upstream commit 8b6f0330b5f9a7543356bfa9e76d580f03aa2c1e ]
Aux and Ref clk are missing in PCIe qcom driver. Add support for this
optional clks for ipq8064/apq8064 SoC.
Link: https://lore.kernel.org/r/20200615210608.21469-2-ansuels...@gmail.com
Fixes: 82a823833f4e ("PCI: qco
From: Qu Wenruo
[ Upstream commit a7f8b1c2ac21bf081b41264c9cfd6260dffa6246 ]
The incoming qgroup reserved space timing will move the data reservation
to ordered extent completely.
However in btrfs_punch_hole_lock_range() will call
btrfs_invalidate_page(), which will clear QGROUP_RESERVED bit fo
From: Pablo Neira Ayuso
[ Upstream commit 77a92189ecfd061616ad531d386639aab7baaad9 ]
Replace EBUSY by EEXIST in the following cases:
- If the user adds a chain with a different configuration such as different
type, hook and priority.
- If the user adds a non-base chain that clashes with an e
From: Li Guifu
[ Upstream commit 99c787cfd2bd04926f1f553b30bd7dcea2caaba1 ]
During umount, f2fs_put_super() unregisters procfs entries after
f2fs_destroy_segment_manager(), it may cause use-after-free
issue when umount races with procfs accessing, fix it by relocating
f2fs_unregister_sysfs().
[
From: Ansuel Smith
[ Upstream commit ee367e2cdd2202b5714982739e684543cd2cee0e ]
Add missing ext reset used by ipq8064 SoC in PCIe qcom driver.
Link: https://lore.kernel.org/r/20200615210608.21469-5-ansuels...@gmail.com
Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver")
Signe
From: Michael Ellerman
[ Upstream commit 4d618b9f3fcab84e9ec28c180de46fb2c929d096 ]
The build is currently broken, if COMPILE_TEST=y and PPC_PMAC=n:
linux/drivers/video/fbdev/controlfb.c: In function ‘control_set_hardware’:
linux/drivers/video/fbdev/controlfb.c:276:2: error: implicit declar
From: Lucas Stach
[ Upstream commit 50248a3ec0f5e5debd18033eb2a29f0b793a7000 ]
The drm scheduler currently expects that the stop/start sequence is always
executed in the timeout handling, as the job at the head of the hardware
execution list is always removed from the ring mirror before the driv
From: Christophe JAILLET
[ Upstream commit 07c8434150f4eb0b65cae288721c8af1080fde17 ]
If a memory allocation fails within a 'usb_ep_alloc_request()' call, the
already allocated memory must be released.
Fix a mix-up in the code and free the correct requests.
Fixes: c52661d60f63 ("usb-gadget: In
From: Martin Wilck
[ Upstream commit 93eb0381e13d249a18ed4aae203291ff977e7ffb ]
If there's only one usable, non-optimized path, nvme_round_robin_path()
returns NULL, which is wrong. Fix it by falling back to "old", like in
the single optimized path case. Also, if the active path isn't changed,
t
From: Yufen Yu
[ Upstream commit 27029b4b18aa5d3b060f0bf2c26dae254132cfce ]
Normally, blkcg_iolatency_exit() will free related memory in iolatency
when cleanup queue. But if blk_throtl_init() return error and queue init
fail, blkcg_iolatency_exit() will not do that for us. Then it cause
memory l
From: Tianjia Zhang
[ Upstream commit f34448cd0dc697723fb5f4118f8431d9233b370d ]
On an error exit path, a negative error code should be returned
instead of a positive return value.
Fixes: e399441de9115 ("nvme-fabrics: Add host support for FC transport")
Cc: James Smart
Signed-off-by: Tianjia Z
From: Tobias Schramm
[ Upstream commit ae1ba50f1e706dfd7ce402ac52c1f1f10becad68 ]
Previously the stm32h7 interrupt thread cleared all non-masked interrupts.
If an interrupt was to occur during the handling of another interrupt its
flag would be unset, resulting in a lost interrupt.
This patches
From: zhangyi (F)
[ Upstream commit bc71726c725767205757821df364acff87f92ac5 ]
There is a risk of filesystem inconsistency if we failed to async write
back metadata buffer in the background. Because of current buffer's end
io procedure is handled by end_buffer_async_write() in the block layer,
a
From: Jan Kara
[ Upstream commit 11215630aada28307ba555a43138db6ac54fa825 ]
A customer has reported a BUG_ON in ext4_clear_journal_err() hitting
during an LTP testing. Either this has been caused by a test setup
issue where the filesystem was being overwritten while LTP was mounting
it or the jo
From: Ming Lei
[ Upstream commit af822aa68fbdf0a480a17462ed70232998127453 ]
1f23816b8eb8 ("virtio_blk: add discard and write zeroes support") starts
to support multi-range discard for virtio-blk. However, the virtio-blk
disk may report max discard segment as 1, at least that is exactly what
qemu
From: J. Bruce Fields
[ Upstream commit 34b09af4f54e6485e28f138ccad159611a240cc1 ]
If an NFSv2/v3 client breaks an NFSv4 client's delegation, it will hit a
NULL dereference in nfsd_breaker_owns_lease().
Easily reproduceable with for example
mount -overs=4.2 server:/export /mnt/
From: Lukas Czerner
[ Upstream commit f25391ebb475d3ffb3aa61bb90e3594c841749ef ]
Currently there is a problem with mount options that can be both set by
vfs using mount flags or by a string parsing in ext4.
i_version/iversion options gets lost after remount, for example
$ mount -o i_version /d
From: zhangyi (F)
[ Upstream commit c044f3d8360d2ecf831ba2cc9f08cf9fb2c699fb ]
If we free a metadata buffer which has been failed to async write out
in the background, the jbd2 checkpoint procedure will not detect this
failure in jbd2_log_do_checkpoint(), so it may lead to filesystem
inconsisten
From: Lukas Czerner
[ Upstream commit 273108fa5015eeffc4bacfa5ce272af3434b96e4 ]
Ext4 uses blkdev_get_by_dev() to get the block_device for journal device
which does check to see if the read-only block device was opened
read-only.
As a result ext4 will hapily proceed mounting the file system wit
From: Lukas Czerner
[ Upstream commit 24dc9864914eb5813173cfa53313fcd02e4aea7d ]
Callers of __jbd2_journal_unfile_buffer() and
__jbd2_journal_refile_buffer() assume that the b_transaction is set. In
fact if it's not, we can end up with journal_head refcounting errors
leading to crash much later
From: Toke Høiland-Jørgensen
[ Upstream commit 23ab656be263813acc3c20623757d3cd1496d9e1 ]
Turns out there were a few more instances where libbpf didn't save the
errno before writing an error message, causing errno to be overridden by
the printf() return and the error disappearing if logging is e
From: Andrii Nakryiko
[ Upstream commit 5705d705832f74395c5465ce93192688f543006a ]
Ensure that types are memory layout- and field alignment-compatible regardless
of 32/64-bitness mix of libbpf and BPF architecture.
Signed-off-by: Andrii Nakryiko
Signed-off-by: Alexei Starovoitov
Link: https:/
From: Andrii Nakryiko
[ Upstream commit eed7818adf03e874994b966aa33bc00204dd275a ]
Fix btf_dump test cases by hard-coding BPF's pointer size of 8 bytes for cases
where it's impossible to deterimne the pointer size (no long type in BTF). In
cases where it's known, validate libbpf correctly determ
From: Jason Baron
[ Upstream commit 8ae2d573d0b4afc08b90ac7d73dba2d9da97 ]
We hit a kernel panic due to a divide by 0 in nct7904_read_fan() for
the hwmon_fan_min case. Extend the check to hwmon_fan_input case as well
for safety.
[ 1656.545650] divide error: [#1] SMP PTI
[ 1656.545779]
From: Xie He
[ Upstream commit 77b981c82c1df7c7ad32a046f17f007450b46954 ]
1. Added a skb->len check
This driver expects upper layers to include a pseudo header of 1 byte
when passing down a skb for transmission. This driver will read this
1-byte header. This patch added a skb->len check before
From: David Ahern
[ Upstream commit bcf7ddb0186d366f761f86196b480ea6dd2dc18c ]
h1 is initially configured to reach h2 via r1 rather than the
more direct path through r2. If rp_filter is set and inherited
for r2, forwarding fails since the source address of h1 is
reachable from eth0 vs the packet
From: Mike Christie
[ Upstream commit fa39ab5184d64563cd36f2fb5f0d3fbad83a432c ]
ixgbe_fcoe_ddp_setup() can be called from the main I/O path and is called
with a spin_lock held, so we have to use GFP_ATOMIC allocation instead of
GFP_KERNEL.
Link:
https://lore.kernel.org/r/1596831813-9839-1-git
From: Nicolas Saenz Julienne
[ Upstream commit d7e673ec2c8e0ea39c4c70fc490d67d7fbda869d ]
There is no guarantee to CMA's placement, so allocating a zone specific
atomic pool from CMA might return memory from a completely different
memory zone. To get around this double check CMA's placement befo
From: Adrian Hunter
[ Upstream commit 127d5f7c4b653b8be5eb3b2c7bbe13728f9003ff ]
For shared interrupts, the interrupt status might be zero, so check that
first.
Link: https://lore.kernel.org/r/20200811133936.19171-2-adrian.hun...@intel.com
Reviewed-by: Avri Altman
Signed-off-by: Adrian Hunter
From: Amelie Delaunay
[ Upstream commit 3373e9004acc0603242622b4378c64bc01d21b5f ]
When transfer is shorter than half of the fifo, set the data packet size
up to transfer size instead of up to half of the fifo.
Check also that threshold is set at least to 1 data frame.
Signed-off-by: Amelie Del
On Wed, Aug 19, 2020 at 08:53:42PM +0200, Mickaël Salaün wrote:
> On 12/08/2020 12:06, Mark Rutland wrote:
> > Contemporary W^X means that a given virtual alias cannot be writeable
> > and executeable simultaneously, permitting (a) and (b). If you read the
> > references on the Wikipedia page for W
From: Huang Rui
[ Upstream commit 34174b89bfa495bed9cddcc504fb38feca90fab7 ]
Renoir only has one sdma instance, it will get failed once query the
sdma1 registers. So use switch-case instead of static register array.
Signed-off-by: Huang Rui
Reviewed-by: Alex Deucher
Reviewed-by: Felix Kuehlin
From: brookxu
[ Upstream commit 27bc446e2def38db3244a6eb4bb1d6312936610a ]
In the scenario of writing sparse files, the per-inode prealloc list may
be very long, resulting in high overhead for ext4_mb_use_preallocated().
To circumvent this problem, we limit the maximum length of per-inode
preall
From: Yonghong Song
[ Upstream commit e679654a704e5bd676ea6446fa7b764cbabf168a ]
In our production system, we observed rcu stalls when
'bpftool prog` is running.
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: \x097-: (20999 ticks this GP) idle=302/1/0x4000
softirq=1508
From: Yonghong Song
[ Upstream commit e60572b8d4c39572be6857d1ec91fdf979f8775f ]
Currently when traversing all tasks, the next tid
is always increased by one. This may result in
visiting the same task multiple times in a
pid namespace.
This patch fixed the issue by seting the next
tid as pid_nr
From: Athira Rajeev
[ Upstream commit 17899eaf88d689529b866371344c8f269ba79b5f ]
Performance monitor interrupt handler checks if any counter has
overflown and calls record_and_restart() in core-book3s which invokes
perf_event_overflow() to record the sample information. Apart from
creating sampl
From: Marc Zyngier
[ Upstream commit bf87bb0881d0f59181fe3bbcf29c609f36483ff8 ]
As we can now switch from a system that isn't affected by 1418040
to a system that globally is affected, let's allow affected CPUs
to come in at a later time.
Signed-off-by: Marc Zyngier
Tested-by: Sai Prakash Ranj
From: Boris Burkov
commit a84d5d429f9eb56f81b388609841ed993f0ddfca upstream.
can_nocow_extent and btrfs_cross_ref_exist both rely on a heuristic for
detecting a must cow condition which is not exactly accurate, but saves
unnecessary tree traversal. The incorrect assumption is that if the
extent
From: Filipe Manana
commit bbc37d6e475eee8ffa2156ec813efc6bbb43c06d upstream.
If a transaction aborts it can cause a memory leak of the pages array of
a block group's io_ctl structure. The following steps explain how that can
happen:
1) Transaction N is committing, currently in state TRANS_STAT
From: Marcos Paulo de Souza
commit 282dd7d7718444679b046b769d872b188818ca35 upstream.
Currently a user can set mount "-o compress" which will set the
compression algorithm to zlib, and use the default compress level for
zlib (3):
relatime,compress=zlib:3,space_cache
If the user remounts the
From: Marc Zyngier
[ Upstream commit d49f7d7376d0c0daf8680984a37bd07581ac7d38 ]
Instead of dealing with erratum 1418040 on each entry and exit,
let's move the handling to __switch_to() instead, which has
several advantages:
- It can be applied when it matters (switching between 32 and 64
bit
From: George Kennedy
commit 39b3cffb8cf3111738ea993e2757ab382253d86a upstream.
Add a check to fbcon_resize() to ensure that a possible change to user font
height or user font width will not allow a font data out-of-bounds access.
NOTE: must use original charcount in calculation as font charcount
From: Keith Busch
commit e4b469c66f3cbb81c2e94d31123d7bcdf3c1dabd upstream.
A previous commit aligning splits to physical block sizes inadvertently
modified one return case such that that it now returns 0 length splits
when the number of sectors doesn't exceed the physical offset. This
later hit
From: Hans de Goede
commit eef4016243e94c438f177ca8226876eb873b9c75 upstream.
Before this commit i2c_hid_parse() consists of the following steps:
1. Send power on cmd
2. usleep_range(1000, 5000)
3. Send reset cmd
4. Wait for reset to complete (device interrupt, or msleep(100))
5. Send power on
From: Ming Lei
commit d7d8535f377e9ba87edbf7fbbd634ac942f3f54f upstream.
SCHED_RESTART code path is relied to re-run queue for dispatch requests
in hctx->dispatch. Meantime the SCHED_RSTART flag is checked when adding
requests to hctx->dispatch.
memory barriers have to be used for ordering the
From: Frank van der Linden
commit 5d28ba5f8a0cfa3a874fa96c33731b8fcd141b3a upstream.
vdso32 should only be installed if CONFIG_COMPAT_VDSO is enabled,
since it's not even supposed to be compiled otherwise, and arm64
builds without a 32bit crosscompiler will fail.
Fixes: 8d75785a8142 ("ARM64: vd
From: Alvin Šipraga
[ Upstream commit 8b61fba503904acae24aeb2bd5569b4d6544d48f ]
Remote source MAC addresses can be set on a 'source mode' macvlan
interface via the IFLA_MACVLAN_MACADDR_DATA attribute. This commit
tightens the validation of these MAC addresses to match the validation
already per
From: Ding Hui
commit f1ec7ae6c9f8c016db320e204cb519a1da1581b8 upstream.
Some device drivers call libusb_clear_halt when target ep queue
is not empty. (eg. spice client connected to qemu for usb redir)
Before commit f5249461b504 ("xhci: Clear the host side toggle
manually when endpoint is soft
From: George Kennedy
commit bc5269ca765057a1b762e79a1cfd267cd7bf1c46 upstream.
vc_resize() can return with an error after failure. Change VT_RESIZEX ioctl
to save struct vc_data values that are modified and restore the original
values in case of error.
Signed-off-by: George Kennedy
Cc: stable
From: Kai-Heng Feng
commit 904df64a5f4d5ebd670801d869ca0a6d6a6e8df6 upstream.
Sometimes re-plugging a USB device during system sleep renders the device
useless:
[ 173.418345] xhci_hcd :00:14.0: Get port status 2-4 read: 0x14203e2,
return 0x10262
...
[ 176.496485] usb 2-4: Waited 2000ms fo
From: Thomas Gleixner
commit c330fb1ddc0a922f044989492b7fcca77ee1db46 upstream.
handler data is meant for interrupt handlers and not for storing irq chip
specific information as some devices require handler data to store internal
per interrupt information, e.g. pinctrl/GPIO chained interrupt han
From: Pavel Begunkov
commit 204361a77f4018627addd4a06877448f088ddfc0 upstream.
Don't forget to update wqe->hash_tail after cancelling a pending work
item, if it was hashed.
Cc: sta...@vger.kernel.org # 5.7+
Reported-by: Dmitry Shulyak
Fixes: 86f3cd1b589a1 ("io-wq: handle hashed writes in chain
From: Evgeny Novikov
commit 531412492ce93ea29b9ca3b4eb5e3ed771f851dd upstream.
lvs_rh_probe() can return some nonnegative value from usb_control_msg()
when it is less than "USB_DT_HUB_NONVAR_SIZE + 2" that is considered as
a failure. Make lvs_rh_probe() return -EINVAL in this case.
Found by Lin
From: Vinod Koul
commit d66a57be2f9a315fc10d0f524f670fec903e0fb4 upstream.
Some devices in wild are reporting bunch of firmware versions, so remove
the check for versions in driver
Reported by: Anastasios Vacharakis
Reported by: Glen Journeay
Fixes: 2478be82de44 ("usb: renesas-xhci: Add ROM l
From: JC Kuo
commit 316a2868bc269be8c6e69ccc3a1f902a3f518eb9 upstream.
tegra_xusb_init_usb_phy() should initialize "otg_usb2_port" and
"otg_usb3_port" with -EINVAL because "0" is a valid value
represents usb2 port 0 or usb3 port 0.
Signed-off-by: JC Kuo
Cc: stable
Link: https://lore.kernel.or
From: Sumera Priyadarsini
[ Upstream commit 989e4da042ca4a56bbaca9223d1a93639ad11e17 ]
Every iteration of for_each_available_child_of_node() decrements
reference count of the previous node, however when control
is transferred from the middle of the loop, as in the case of
a return or break or go
From: Tetsuo Handa
commit f8d1653daec02315e06d30246cff4af72e76e54e upstream.
syzbot is reporting UAF bug in set_origin() from vc_do_resize() [1], for
vc_do_resize() calls kfree(vc->vc_screenbuf) before calling set_origin().
Unfortunately, in set_origin(), vc->vc_sw->con_set_origin() might acces
From: Lukas Wunner
commit 27afac93e3bd7fa89749cf11da5d86ac9cde4dba upstream.
If probing of a pl011 gets deferred until after free_initmem(), an oops
ensues because pl011_console_match() is called which has been freed.
Fix by removing the __init attribute from the function and those it
calls.
C
Hi Ulf,
On Tue, Sep 01 2020 at 06:41 -0600, Ulf Hansson wrote:
On Tue, 1 Sep 2020 at 14:35, Ulf Hansson wrote:
On Tue, 1 Sep 2020 at 12:42, wrote:
>
> On Tue, Sep 01, 2020 at 08:50:57AM +0200, Ulf Hansson wrote:
> > On Tue, 1 Sep 2020 at 08:46, Ulf Hansson wrote:
> > > On Mon, 31 Aug 2020 a
From: Rafael J. Wysocki
commit e3eb6e8fba65094328b8dca635d00de74ba75b45 upstream.
It has been reported that system-wide suspend may be aborted in the
absence of any wakeup events due to unforseen interactions of it with
the runtume PM framework.
One failing scenario is when there are multiple d
From: Thomas Gleixner
commit 784a0830377d0761834e385975bc46861fea9fa0 upstream.
Most of the CPU mask operations behave the same way, but for_each_cpu() and
it's variants ignore the cpumask argument and claim that CPU0 is always in
the mask. This is historical, inconsistent and annoying behaviour
From: Lukas Wunner
commit 89efbe70b27dd325d8a8c177743a26b885f7faec upstream.
pl011_probe() calls pl011_setup_port() to reserve an amba_ports[] entry,
then calls pl011_register_port() to register the uart driver with the
tty layer.
If registration of the uart driver fails, the amba_ports[] entry
From: Jens Axboe
commit 56450c20fe10d4d93f58019109aa4e06fc0b9206 upstream.
Make sure we clear req->result, which was set to -EAGAIN for retry
purposes, when moving it to the reissue list. Otherwise we can end up
retrying a request more than once, which leads to weird results in
the io-wq handlin
This approach is more elegant and prevents some problems related to
macros such as operator precedence in expanded expression.
Signed-off-by: Antoni Przybylik
---
drivers/staging/gdm724x/gdm_tty.c | 15 +--
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/stagin
From: Jan Kara
commit b35250c0816c7cf7d0a8de92f5fafb6a7508a708 upstream.
Currently, operations on inode->i_io_list are protected by
wb->list_lock. In the following patches we'll need to maintain
consistency between inode->i_state and inode->i_io_list so change the
code so that inode->i_lock prot
From: qiuguorui1
commit e579076ac0a3bebb440fab101aef3c42c9f4c709 upstream.
In the current code, when the eoi callback of the exti clears the pending
bit of the current interrupt, it will first read the values of fpr and
rpr, then logically OR the corresponding bit of the interrupt number,
and fi
From: Hans de Goede
commit 7e90057f125c8c852940b848e06e7a72f050fc6f upstream.
Fix 2 unlocked ucsi_run_command calls:
1. ucsi_handle_connector_change() contains one ucsi_send_command() call,
which takes the ppm_lock for it; and one ucsi_run_command() call which
relies on the caller have taking t
From: Alexander Monakov
commit 69d9f4278d0f9d24607645f10e5ac5c59c77a4ac upstream.
Documentation for sysfs backlight level interface requires that
values in both 'brightness' and 'actual_brightness' files are
interpreted to be in range from 0 to the value given in the
'max_brightness' file.
With
From: Cyril Roelandt
commit 9aa37788e7ebb3f489fb4b71ce07adadd444264a upstream.
This device does not support UAS properly and a similar entry already
exists in drivers/usb/storage/unusual_uas.h. Without this patch,
storage_probe() defers the handling of this device to UAS, which cannot
handle it
From: Hans de Goede
commit 0ff0705a2ef2929e9326c95df48bdbebb0dafaad upstream.
Lockdep reports an AB BA lock inversion between ucsi_init() and
ucsi_handle_connector_change():
AB order:
1. ucsi_init takes ucsi->ppm_lock (it runs with that locked for the
duration of the function)
2. usci_init
From: Thinh Nguyen
commit d2ee3ff79e6a3d4105e684021017d100524dc560 upstream.
The usb_request->zero doesn't apply for isoc. Also, if we prepare a
0-length (ZLP) TRB for the OUT direction, we need to prepare an extra
TRB to pad up to the MPS alignment. Use the same bounce buffer for the
ZLP TRB an
From: Thinh Nguyen
commit 5d187c0454ef4c5e046a81af36882d4d515922ec upstream.
The SG list may be set up with entry size more than the requested
length. Check the usb_request->length and make sure that we don't setup
the TRBs to send/receive more than requested. This case may occur when
the SG ent
From: Thinh Nguyen
commit bc9a2e226ea95e1699f7590845554de095308b75 upstream.
Currently dwc3 doesn't handle usb_request->zero for SG requests. This
change checks and prepares extra TRBs for the ZLP for SG requests.
Cc: # v4.5+
Fixes: 04c03d10e507 ("usb: dwc3: gadget: handle request->zero")
Sign
From: Brooke Basile
commit 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 upstream.
Some values extracted by ncm_unwrap_ntb() could possibly lead to several
different out of bounds reads of memory. Specifically the values passed
to netdev_alloc_skb_ip_align() need to be checked so that memory is not
From: Jens Axboe
[ Upstream commit fd7d6de2241453fc7d042336d366a939a25bc5a9 ]
If an application is doing reads on signalfd, and we arm the poll handler
because there's no data available, then the wakeup can recurse on the
tasks sighand->siglock as the signal delivery from task_work_add() will
us
From: Kai-Heng Feng
commit 5967116e8358899ebaa22702d09b0af57fef23e1 upstream.
There's another Raydium touchscreen needs the no-lpm quirk:
[1.339149] usb 1-9: New USB device found, idVendor=2386, idProduct=350e,
bcdDevice= 0.00
[1.339150] usb 1-9: New USB device strings: Mfr=1, Product=2
From: Evan Quan
commit 28e628645333b7e581c4a7b04d958e4804ea10fe upstream.
Do the maths in celsius degree. This can fix the issues caused
by the changes below:
drm/amd/pm: correct Vega20 swctf limit setting
drm/amd/pm: correct Vega12 swctf limit setting
drm/amd/pm: correct Vega10 swctf limit set
From: Evan Quan
commit 9b51c4b2ba31396f3894ccc7df8bdf067243e9f5 upstream.
Correct the Vega20 thermal swctf limit.
Signed-off-by: Evan Quan
Reviewed-by: Alex Deucher
Signed-off-by: Alex Deucher
Cc: sta...@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpu/drm/amd/powerplay/h
From: Peilin Ye
commit 25a097f5204675550afb879ee18238ca917cba7a upstream.
`uref->usage_index` is not always being properly checked, causing
hiddev_ioctl_usage() to go out of bounds under some cases. Fix it.
Reported-by: syzbot+34ee1b45d88571c2f...@syzkaller.appspotmail.com
Link:
https://syzkal
501 - 600 of 2217 matches
Mail list logo
